Currently, CDAP always grants or revokes privileges when an entity is created or deleted. Although this is a convenient feature, it does not work well in enterprise environments. Many enterprises prefer to manage privileges in a centralized authorization provider (like Sentry or Ranger). This allows them to use existing roles/groups to manage privileges across all systems.
This automatic grant/revoke behavior also creates issues when authorization providers do not support the same authorization primitives that CDAP supports.
For instance, CDAP allows privileges to be defined using entities and users, whereas Sentry only allows privileges to be defined using roles and groups. Hence every grant made on an entity and user has to be translated into a grant on roles and groups. This leads to the creation of many redundant roles/groups and causes performance issues.